firewall testing update

Post on 04-Jan-2016


DESCRIPTION

Firewall Testing Update. Paul Schopis, pschopis@itecohio.org. Overview: Problem Statement; Participants; Problem Classification; Scope of Current Testing; Preliminary Results. Participants: Terri Beamer – Denison (Check Point); Joe Simpson – Miami (PIX); Tom Ridgeway – UC (PIX) … (PowerPoint PPT presentation)

TRANSCRIPT

Firewall Testing Update

Paul Schopis

pschopis@itecohio.org

Overview

• Problem Statement

• Participants

• Problem Classification

• Scope of Current Testing

• Preliminary Results

Participants

• Terri Beamer – Denison (Check Point)

• Joe Simpson – Miami ( PIX )

• Tom Ridgeway – UC (PIX)

• Greg Trefz – Stratacache (Packeteer)

• Gene Bassin/Jason MacDonald – OARnet IOS Firewall

Reported Problems

• H.323 won’t work at all.

• Connection gets made but performance is not good.

• H.323 seems to be in a state of flux, i.e. behaviour changes over time (can get better or worse).

So what are the problems?

• Protocol Specific
– Firewall assumes it is an attack
– NAT is generally bad for H.323

• Packet Handling
– Does the firewall exceed the parameters necessary for good performance in order to meet the security need?

• Network in Conjunction with the other two
– Traffic Bursts

Scope of Current Testing

• We know what is necessary for good H.323 sessions
– http://www.adec.edu/nsf/Traffic%20draftv3.0.pdf
– http://www.adec.edu/nsf/Summary%20Test%20H.323.v7.pdf

• Is it simply a case of poor performance at the packet layer?

Basic Testing Procedure

• Use Smartbits 600 with SmartFlow and SmartWindow

• Added VoIP PSQM for further insight

• Find effective throughput without filtering, i.e. the baseline

• Test by systematically varying the allowed/denied traffic ratio to find performance bounds.

Preliminary Results

• Cisco 2651

• Running IOS Firewall Suite

• Version 12.2(7c)
– 2600-dos3s-mz.122-7c.bin

• Tested on two Fastethernet ports

Raw Throughput

• Max @ 1518 Byte Frames (including Ethernet header and FCS fields): 27.578 Mbps

• Min @ 64 Byte Frames: 12.109 Mbps

Raw Latency

• Jitter = Max - Min

• Max Jitter @ 128 Byte packet, 10 Mbps load: 118ms

• Min Jitter @ 256 Byte packet, 20 Mbps load: 1ms

• Packet sizes 128-1518: bulk of latency in the 10-50ms range

• 1152 Byte packets at 10-20 Mbps: downward shift
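The procedure on the earlier slides (take an unfiltered baseline, then re-run the same frame sizes under each allowed/denied mix) and the jitter definition above reduce to a small amount of bookkeeping once the generator results are in hand. The script below is an added example, not part of the deck or of any Smartbits tooling: it takes constructed per-run records (the `Run` class, the ratio labels and all numbers are assumptions, not the deck's measurements), computes jitter as max minus min, the fractional throughput hit against the baseline for the same frame size, and reports the first filter mix at which the device stopped forwarding, which is how the "router dies" rows on the later slides would show up in data.

```python
"""Reduce per-frame-size traffic-generator runs to the metrics the deck reports:
throughput hit versus an unfiltered baseline, jitter (max - min latency) and a
go/no-go verdict per allowed/denied filter mix.  Example code with constructed
data; it does not read any real Smartbits/SmartFlow output."""
from dataclasses import dataclass
from statistics import pstdev
from typing import Optional

BASELINE = "baseline"   # label for the no-filtering run (assumed convention)


@dataclass(frozen=True)
class Run:
    ratio: str                        # allowed/denied Mbps mix label, e.g. "20/5", or BASELINE
    frame_bytes: int                  # frame size on the wire, Ethernet header and FCS included
    throughput_mbps: Optional[float]  # None: the device under test stopped forwarding
    latency_ms: tuple                 # per-packet latency samples reported by the generator


def jitter_ms(samples):
    """Jitter exactly as the slide defines it: max latency minus min latency."""
    return max(samples) - min(samples)


def throughput_hit(baseline_mbps, filtered_mbps):
    """Fraction of forwarding rate lost relative to the unfiltered baseline."""
    return (baseline_mbps - filtered_mbps) / baseline_mbps


def analyze(runs):
    """One result row per filtered run, compared against the baseline at the same frame size."""
    baseline = {r.frame_bytes: r.throughput_mbps for r in runs if r.ratio == BASELINE}
    rows = []
    for r in runs:
        if r.ratio == BASELINE:
            continue
        if r.throughput_mbps is None:
            # No forwarding at all: record the failure rather than a misleading 100% hit.
            rows.append({"ratio": r.ratio, "frame": r.frame_bytes, "status": "died",
                         "hit": None, "jitter_ms": None, "latency_std_ms": None})
            continue
        rows.append({"ratio": r.ratio, "frame": r.frame_bytes, "status": "ok",
                     "hit": round(throughput_hit(baseline[r.frame_bytes], r.throughput_mbps), 3),
                     "jitter_ms": jitter_ms(r.latency_ms),
                     "latency_std_ms": round(pstdev(r.latency_ms), 3)})
    return rows


def first_failing_ratio(rows):
    """First allowed/denied mix, in test order, at which the device stopped forwarding."""
    for row in rows:
        if row["status"] == "died":
            return row["ratio"]
    return None


# Constructed sample data (assumed values, not measurements from the deck).
RUNS = (
    Run(BASELINE, 64,   12.0, (2.0, 3.0, 4.0)),
    Run(BASELINE, 1518, 28.0, (10.0, 12.0, 15.0)),
    Run("20/5",   64,    4.0, (5.0, 60.0, 140.0)),
    Run("20/5",   1518, 20.0, (20.0, 40.0, 50.0)),
    Run("15/10",  64,    1.5, (8.0, 70.0, 120.0)),
    Run("10/15",  64,   None, ()),
)

if __name__ == "__main__":
    results = analyze(RUNS)
    for row in results:
        print(row)
    print("device stopped forwarding at mix:", first_failing_ratio(RUNS and results))
```

The hit is computed per frame size against the baseline for that same size; comparing a 64 byte filtered run against the 1518 byte baseline would overstate the cost of the access list. Small frames are the pessimistic case for any per-packet inspection, so a mix that survives at 1518 bytes should still be checked at 64 bytes before it is treated as a safe operating bound.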

Throughput Filtered

• Max @ 1518 Byte Packet: 20 Mbps
– ~26% hit

• Min @ 64 Byte Packet: 4.375 Mbps
– ~67% hit

Latency Filtered

• Max @ 64 Byte Packet, 20% load: 57ms Jitter

• Min @ 64 Byte Packet, 10% load: less than 1ms

• Latency Distribution
– 100-50ms below 128 Bytes
– 50-10ms around 256 Bytes
– 100-50ms at 1024 Bytes

Throughput Mix

• 20/5
– Max @ 1518 Byte Packets is 20 Mbps
– Min @ 64 Byte Packets is 2.687 Mbps

• 15/10
– Max @ 1518 Byte Packets is 11.875 Mbps
– Min @ 64 Byte Packets is 1.562 Mbps

• 10/15
– Router dies

Jitter Mix

• 20/5

– Max @ 64 Byte Packets is 135ms STD 6.234 ms

– Min @ 512 Byte Packets is 6ms STD 2.295 ms

• 15/10
– Max @ 64 Bytes is 112ms, STD 5.6 ms
– Min @ 1280 Bytes is 12 ms, STD 6.206 ms

• 10/15
– Death

Latency Distribution Mix

• 20/5
– Below 512 Bytes, latency is in the 50-100ms range

• 15/10
– Ditto

PSQM

• 0 is best

• 6.5 is worst

• Not a real measure for H.323, but might help give insight

• G.711 ulaw = 218 byte frames, i.e. four codec frames per packet

• It is less than 1% of traffic

PSQM charts (figure titles only; the plotted data did not survive extraction): 64 Byte Background; 128 Byte Background; 256 Byte Background; 512 Byte Background; 1024 & 1518 Byte Background
